Moving from Keepass to Lastpass

I've been a long time Keepass user, but working across multiple devices and having to manually sync my Keepass database was becoming an inconvenience. I was getting caught by "oh, that password is only over there" type problems so I needed to move to something that did that automatically. Enter Lastpass, a recommendation from the folks over at the Smashing Security podcast (and recently also Security Now). Here's how I'm finding it after the first month or so.

Migration process

The good news is you can import from Keepass to Lastpass. The bad news is you have to do this by exporting your passwords to an XML file - make sure you securely destroy the firewall afterwards! I'd done a bit of research in to this and come across this post by a chap called Mat. His advice saved me some time reorganising passwords with no site address as LastPass would have imported those as notes.

As a result of going through my Keepass database and attributing URLs to credentials I've also had a bit of a digital tidy up. I spent some time finding sites I don't use any more (or that no longer exist) and terminating my accounts to reduce the likelihood of being in any future data breaches.

I've noticed a bug during the import that sometimes the notes section of the Keepass entry is repeated in the LastPass notes field - haven't looked in to why as yet.

If you need to view your password history it's a case of editing the record and clicking the clock icon above the password. This then pops up a dialog showing the date of password changes so you can choose to view them. This history is not imported from Keepass though. Thanks to friend and reader Dan for pointing this out, so I could make this edit and correction.

Web interface

The LastPass interface is very different from that of Keepass, which doesn't really care what the password is that you're storing. Conversely, LastPass treats everything like a site, so expects an URL hence the problem when importing from Keepass. If something doesn't have an URL then it gets stored as a secure note. I suppose, ultimately, it doesn't matter as the information is stored and encrypted but it does annoy me semantically. It's not only the web interface that does this, but I felt it worth mentioning here.

As interfaces go, LastPass is quite clean with clear options. Navigation can be done via the side menu and the options are intuitive - the site is obviously designed to follow well established practices. The biggest down point is the interface is grey on grey and washed out / pale colours elsewhere, something that I can imagine would be a problem for my wife who has problems when there's low contrast.

The low contrast of the LastPass interface could be a problem for some (e.g. spotting that I'm a "free user").

Passwords can be stored in "folders" which is really a tag from what I can see. They do help with browsing through by category but I guess, as with everything these days, you're encouraged to use the search functionality rather than looking with your eyes. I'm still getting used to using search instead of clicking on things after finding them myself, shows my age I suppose.

Features such as import and the security challenge (see below) open new tabs in the browser, so you can find yourself with a plethora of tabs to close. Not the end of the world, but a bit unnecessary.

You can attach files to secure notes, but not passwords, which is different to Keepass (where I used to store SSH keys and passwords on one record). Storage of notes is dependent on the "binary version of the browser extension" which I've not installed yet. It looks like to do so requires a download from LastPass' site, rather than the Mozilla Firefox extensions store so care should be taken to ensure you really are on the LastPass site.

Also worth noting is that LastPass can automatically login to some sites and change the password to a randomly generated one. It does this by opening a new tab and performing the actions (autotype etc.) for you, then storing the new password in your vault. Sucessfully tested with Twitter :) .

Browser plugins

I was sceptical at how useful I'd find a browser plugin as I'm so used to just double clicking fields in Keepass and then pasting into the relevant place. "It saves time" apparently, "but it's seconds" I thought. After using the browser plugin on all my browsers on two different machines I'm happy to say I'm converted. While it only saves seconds it's also fair to note the experience on each site is improved simply because I don't have to switch to doing something else in order to login.

LastPass also supports form-filling based on profiles you configure. This can save more time as fields such as your name, address, username etc. are automatically populated. I appreciate browsers will do this too but don't forget LastPass will sync that across your devices.

Something important I saw as a comment on the LastPass blog: the password will only be auto-filled at the genuine site, not at a phishing page or otherwise malicious location. Certainly a bonus!

Android app

LastPass' Android app is something I use less often simply because I tend to use Android less when authenticating to websites (everything seems to have an app). The app has similar form-filling capabilities to the browser extension, also offering a built-in browser so there's no need to leave the LastPass app.

One thing I did notice was that LastPass hooks into Android's auto-fill mechanism (you have to enable it) meaning when other apps ask for authentication LastPass will complete that for you.

Password benefits - the security challenge

This is one of my favourite features of LastPass. The challenge will examine your passwords (having decrypted them locally I believe) and generate you a score based on password reuse, password strength and compromised passwords. At the moment I've got a 96% security score and am in the top 1% of LastPass users:

My LastPass security challenge result (no passwords shown!).

Primarily, I like the fact that LastPass has checked for each of these things. I've been around already and removed some password reuse that I either knew about (but didn't care: lab systems) or wasn't consciously aware of. Password reuse is a big problem, so I'm pleased LastPass consider this. I also like the gamified element to this - because the password reuse dropped my rating I felt compelled to do something about it. Gamification can be dangerous (for example people on StackOverflow just wanting a better rating, so contributing poor quality answers) but in this case I can only see it as a good thing.

A criticism though - password strength meters have been criticised in the past (see an interesting post by Troy Hunt) but I genuinely have no idea why LastPass thinks my really long password composed of random words (a Keybase paper key) is less secure than a random password of significantly fewer characters. Sadly they didn't comment when I Tweeted them.

Conclusion

Overall I think this was a good move to make: my passwords are synced and it does actually save time. My concerns about LastPass having my passwords were mooted after reading their how it works page and after finding a number of industry experts recommending and using their service. I still think there's a place for Keepass, say for shared password vaults within small teams but I'm glad to have made the switch personally.

When you sign up for a free account you get a free 30 day trial of LastPass Premium. Premium offers additional features including 2 factor authentication with a Yubikey, multiple sharing and encrypted storage. I don't have a need for those at the moment so haven't purchased the product. That said, I may well do so in future (it's about £2 a month at the moment).

On teams / organisations: LastPass (and others) do offer enterprise editions, where passwords can be shared and controlled. That's out of scope for this post though.

Banner image a hastily thrown together image made by me. Software logos copyright their respective owners.

Edit: A previous version of this post erroneously stated password history was not available in LastPass. This has been corrected.